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■ 
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■ 

Appendix 
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Approach:  Critical  Considerations 


■  Align  with  DoD  mission  requirements 

-  Do  no  harm 

-  Support  and  enhance  DoD  mission 

■  Recognize  cost  saving  imperative 

-  Identify  cost  reductions 

-  Seek  operating  efficiency  and  asset  utilization  gains 

-  Consider  positioning  for  future  gains 

■  Address  security  concerns 

-  Understand  current  system  risks  and  vulnerabilities 

-  Understand  cloud-specific  risks 

-  Mitigate  transition  as  well  as  ongoing  operating  risks 

■  Identify  and  capture  ‘lessons-learned’  experiences 

-  Public  sector:  DoD  and  other  government  agencies 

-  Private  sector:  industry,  service  providers,  domain  experts,  and  consultants 
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Approach:  Interviews 


■  Public  Sector  ■ 

Private  Sector 

-  CIO  and  Staff,  DoD 

-  Amazon 

-  CIO,  US  Air  Force 

-  Chevron 

-  CIO,  US  Army 

-  Citigroup 

-  CIO,  US  Navy 

-  CGI 

-  CIO,  Defense  Intelligence  Agency 

-  CSC 

-  CIO,  Defense  Logistics  Agency 

-  First  Data  Corporation 

-  CIO,  Dept  of  Homeland  Security 

-  Forrester  Research 

-  CIO,  US  Government 

-  Gartner  Group 

-  Director  and  Staff,  NSA 

-  IBM  Corporation 

-  Vice  Chairman,  Joint  Chiefs  of  Staff 

-  Kimberly  Clark  Corporation 

-  Principal  Deputy  Under  Secretary  of 

-  Palantir 

Defense,  AT&L 

-  Director  of  Computing  Services  and  CTO, 
Defense  Information  Services  Agency 

-  Thompson,  Cobb  &  Bazilio 

■  See  Appendix  for  documents  reviewed 
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Context:  DoD  IT  Today 


■  FY12  DoD  IT  Budget  $38.5B 


DoD  IT  Scale 

772+  data  centers 
6,000+  locations;  15,000+  networks 
70,000+  servers;  3  million+  networked  users 
7  million+  IT  devices 
5,000+  applications 
Approx.  90,000  full-time  employees 


lelec  ommumc  a  tons 
$9.9  Billion/ 41% 


Non- Infra  structure 
(Systems  Acquisition) 
$14.5  Billion 
38% 


DoD  IT  Infrastructure  $24.0B 


Infrastructure 
$24  Billion 

62% 


End  User  Systems 
$5.1  Billion/  21% 


Infra  structure  Support 
$6.5  Billion/ 27% 


Mainframes  &  Sewers 
$2.5  Billion/ 11% 
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Context:  DoD  Readiness  for  DCC/Cloud 


■  Interviews  indicate  wide  support  across  DoD  for  DCC/Cloud 

-  Cost  savings  and  efficiency  benefits  are  widely  understood 

-  Budget  imperatives  create  environment  for  making  major  changes 

-  Early  DoD  initiatives  already  showing  positive  results 

Despite  stated  willingness  to  work  together,  passive  resistance  is  likely 

-  Loss  of  visibility,  control,  dedicated  staff,  and  contractors 

-  Required  cultural  and  job  changes  will  pose  significant  challenges 

-  Requests  for  exceptions  will  proliferate 

■  Concerns  expressed  about  loss  of  mission  capability 

-  Particular  concern  expressed  about  migration  process 

-  Recognition  that  current  workforce  may  be  inadequately  trained 

-  Desire  for  greater  transparency,  service  focus  on  output  metrics,  and  service- 
provider  accountability 


Key  issue  requiring  explicit  decision:  IT  optimization  at  what  level? 
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■  Cost  Savings 

■  Return  on  Investment  (ROI) 

■  Security 

■  Mission  Effectiveness 

■  Mission  Transformation 

■  Implementation 
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Findings:  Visible  and  Hidden  Costs  &  Spending 


Staff,  hardware,  software,  enterprise  purchases 


Excessive  purchasing  due  to  long  procurement/deployment  cycles 
High  support  costs  to  maintain  independent  systems,  multiple 
networks,  and  duplicative  infrastructure 

High  labor  costs  due  to  inefficient  staff  utilization 
Underutilization  of  servers  and  untracked  O&M  purchases 
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Examples  of  Cost  Savings  and  Efficiencies 


CATEGORY 

REDUCTION 

EXAMPLE 

Data  Centers 

Number:  50% 

Cost:  25-50% 

Typical  payback  is  5  years 

Servers 

70% 

80  — ►  4;  leverage  virtual  machines 

Server 

Provisioning 

95% 

73  days  — ►  less  than  1  day 

Application 

Development 

90% 

45  days  — >  4  days 

Bandwidth 

Utilization 

70-90% 

ROI  in  less  than  1  year 

Personnel 

40% 

Most  organizations  retrain  support  staff 
into  applications  staff 

Cost-saving  estimates:  25-50 %  in  total  annual  expenditures 
DCC/Cloud  initiatives  illuminated  robust  ‘ shadow 9  IT  infrastructure . 
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Findings:  Return  on  Investment 


■  Private  sector  ROI  tends  to  be  case-specific;  often  DCC/Cloud 
migrations  are  combined  with  other  initiatives 

■  However,  some  conclusions  can  be  drawn: 

-  ROI  achieved  consistently  ahead  of  projected  goals  in  both  dollars  and  time 

-  Sustained  reductions  achieved  only  with  initial  up-front  investment 

-  Unanticipated  positive  secondary  effects  were  considerable 

■  Continuation  of  status  quo  has  a  negative  ROI 

■  Additional  non-IT  ‘invisible’  ROI  achieved  by  reduction  of  procurement 
and  deployment  cycles  and  redeploying  staff  to  higher  value  activities 


While  there  are  no  ‘ rules  of  thumb'  regarding  ROI  benchmarks ,  in  all 
reported  cases  ROI  was  greater  than  originally  anticipated. 
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Findings:  Security 


■  Myth:  Cloud-based  systems  are  ‘less  secure’ 

Reality:  Current  systems  are  difficult  to  defend 

Security  will  decline  over  time 

Properly  designed  Cloud  systems  can  be  more  secure 


Myth:  Cloud  will  lead  to  lower  performance  levels  for  the  user 


Reality:  Cloud  can  offer  enhanced  and  breakthrough  performance 


Myth: 

Reality: 


‘All  eggs  in  one  basket’  creates  a  new  critical  failure  risk 

Realistically  one  never  goes  to  ‘one  basket’ 

Cloud  provides  greater  insurance  v.  critical  failure  risks 
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Findings:  Mission  Effectiveness 


■  Significant  benefits  came  from  unexpected  areas 

-  Increased  speed  of  data  to  users;  facilitated  information  sharing  and  collaboration 

-  Greater  enterprise  understanding  due  to  increased  visibility  across  all  operations 

-  Staff  productivity  improvement  due  to  shift  of  focus  from  infrastructure  maintenance  to 
applications  development,  support,  and  service 

■  Large  gains  derived  from  change  in  personnel/staffing  model 

-  Staff  can  be  where  best  talent  resides;  does  not  need  to  be  location-specific 

-  Fewer  systems,  networks,  and  enclaves  require  support 

-  Allows  significant  reduction/redeployment  of  contractor  staff 

■  Current  system  hurts  effective  mission  operations 

-  Architecture  makes  it  nearly  impossible  to  share  critical  data  on  a  timely  basis 

-  Proprietary  systems  and  closed  architecture  make  in-theatre  upgrades  difficult 

-  Lack  of  common  standards  make  collaboration  difficult 

-  Lack  of  portable  ID  forces  individuals  to  be  ‘reinvented’  with  every  change 

-  Weak  security  creates  need  for  more  enclaves  and  dedicated  networks 
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Findings:  Mission  Transformation 


■  Enables  ‘thinner’  computing  and  new  operating  model 

-  Reduces  hardware,  software,  upgrade,  and  maintenance  costs 

-  Increases  quality  and  timeliness;  decreases  risks  of  ‘in-theatre’  support 

-  Increases  portability  of  IT  systems;  lowers  risks  of  loss;  improves  mission  security 

■  Increases  value  of  data;  improves  situational  awareness 

-  Decreases  fragmentation  of  data;  increases  accessibility 

-  Facilitates  ‘big  data’  analytics 

■  Changes  balance  and  costs  of  network  defense/attack 

-  Decreases  points  of  entree;  fewer  networks  to  penetrate 

-  Enables  stronger  security,  redundancy,  and  recovery;  allows  more  rapid  upgrades 

-  Increases  required  sophistication  and  costs  to  attackers 

■  Shifts  emphasis  of  cyber  security  from  network  protection  to  data 
integrity  and  identification/authentication 

■  Provides  platform  for  future  innovation 
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Findings:  Implementation  -  Authority 


Strong  governance  and  leadership  are  the  most  important  factors 

-  Without  it  the  initiative  will  fail;  must  be  ‘owned’  by  CEO,  not  CIO 

-  Must  have  authority  to  say  ‘no’;  passive  resistance  can  not  be  tolerated 

■  Establishing  clear  strategy  and  ‘Concept  of  Operations’  is  essential 

-  Address  both  transition  and  steady-state  operations 

-  Include  risk  analysis  and  mitigation  strategies 

-  Focus  on  training  and  retraining  of  personnel 

-  Develop  specific  milestones,  deadlines,  and  metrics 

■  Legal  and  policy  barriers  work  against  success;  must  be  resolved 

-  Title  10  sets  redundant  authorities  over  business  systems 

-  Requirement  that  every  Service  must  ‘own  its  own  data’  is  unclear 

-  Federal  acquisition  regulations  are  out  of  synch  with  speed  of  technology  change 
and  evolving  mission  requirements 
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Findings:  Implementation  -  ‘Aim’  before  ‘Fire’ 


Current  system  configurations  will  be  difficult  to  rationalize  and 
maintain  given  proliferation  of  systems  across  DoD 

■  Successful  migrations  have  followed  a  sequenced  approach: 

-  Step  1:  Applications  normalization,  standardization,  and  rationalization 

-  Step  2:  Data  center  rationalization  and  consolidation 

-  Step  3:  Data  and  security  rationalization 

-  Step  4:  Cloud  migration  of  appropriate  components 

■  Standardization  on  numerous  fronts  will  strengthen  security 

■  Consolidation  and  Cloud  initiatives  are  already  underway  but  may  be 
inconsistent  with  goal  to  optimize  at  DoD  enterprise  level 

■  Sequenced  approach  to  migration  will  provide  transparency,  build 
confidence,  and  reduce  risk 
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Findings:  Implementation  -  Change  Management 


Incentives  around  common  goals  are  critical  to  changing  behavior 

-  Early  successes  were  encouraged,  visible,  and  rewarded 

-  Applying  some  of  savings  to  fund  future  upgrades  delivered  long-term  buy-in 

-  Emphasis  on  staff  retraining  rather  than  reduction  created  powerful  motivator 

■  Encourage  pilot  programs;  don’t  fight  the  entire  system 

-  Build  on  current  initiatives  as  long  as  compatible  with  strategy  and  Concept  of 
Operations  (ConOps) 

-  Create  ‘user-pull’  by  moving  desirable  and  ‘easy/safe’  apps  to  Cloud  first 

-  Communicate  benefits  and  value  of  the  change  (steady-state),  not  the  process 

■  Risk  Management 

-  Sequenced  approach  to  migration  will  greatly  reduce  risk 

-  Use  commercially-proven  technology  where  possible;  avoid  the  ‘cutting  edge’ 

-  Expertise  and  track  record  are  key 


Owners  must  be  willing  to  trade  control  for  greater  efficiency, 

lower  costs,  and  increased  effectiveness. 
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1 .  Establish  single  strong  governance  authority 

DEPSECDEF  must  ‘own’  initiative;  CIO  drives  effort,  but  it  cannot  be  a  CIO  initiative 

-  CIO  must  have  ability  to  drive  change,  say  ‘no,’  and  force  compliance 

-  CIO  must  develop  standardized  and  transparent  metrics  across  DoD 

-  Do  not  create  a  new  committee  to  oversee  effort;  will  create  confusion 

2.  Develop  a  coordinated,  integrated  strategy  to  optimize  at  the  DoD  level 

-  Establish  clear  timeline,  milestones,  budget,  and  Concept  of  Operations 

Engage  Service/Agency  CIOs  as  chief  implementers  accountable  to  the  DoD  CIO 

Leverage  DISA  role;  insist  on  commercial-like  service  level  agreements,  metrics, 
and  accountability 

3.  Streamline  legal  and  procurement  authorities  to  address  policy  barriers 

-  Align  Title  10  responsibilities  with  IT  modernization  governance  authority 

-  Establish  rapid  and  consolidated  procurement  capability  for  IT  purchases 
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4.  Use  sequenced  approach  to  data  center  consolidation 

-  Normalize,  standardize,  and  rationalize  critical  elements  first 

-  Prioritize  around  applications,  then  infrastructure,  and  then  data/security 

-  Set  deadlines  for  termination  of  legacy  systems,  personnel,  and  contractors 

-  Launch  Cloud  pilot  initiatives  that  offer  immediate  user  benefits 

-  Accelerate  Cloud  when  its  purpose  and  desired  benefits  are  clear 

5.  Utilize  commercial  business  model  to  set  targets/manage  expectations 

Establish  multi-year  budget  plan;  require  audit-level  transparency;  use  ROI  metric 

-  Develop  shared  model  to  enable  both  savings  and  capability  upgrades 

Establish  specific  output-based  metrics  for  transition,  operations,  continued 
business  improvement,  and  mission  support 

-  Optimize  staff  for  new  work  mix/model;  invest  in  training 

-  Utilize  DoD  incentive  and  reward  programs  to  drive  behavioral  changes 
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■  DCC/Cloud  is  a  strategic  DoD  enterprise-level  imperative 

-  DoD  CIO  has  a  good  roadmap  and  can  drive  initiative  on  behalf  of  DEPSECDEF 

-  DoD  CIO  needs  to  be  a  strategic  partner,  not  a  back-office  support  provider 

■  Benefits  are  dramatic  and  far-reaching 

-  Cost  savings,  efficiency  gains,  and  security  enhancements  are  significant 

-  New  architecture  provides  platform  for  future  innovation 

-  Mission  support  improvement  and  ultimate  transformation  are  greatest  benefits 

■  Failure  to  act  decisively  is  a  decision,  and  the  wrong  one 

-  DoD  initiatives  are  already  underway;  independent  and  uncoordinated  actions 
will  increase  barriers  to  coordination  and  information  sharing 

-  Costs  will  skyrocket  and  service  levels  will  decrease  given  need  to  maintain 
legacy  systems;  future  rationalization  will  be  harder  and  more  expensive 

-  Security  will  fall  further  behind,  leaving  entire  IT  network  increasingly  vulnerable 

-  IT  costs  (given  DoD  ‘color  of  money’)  are  direct  tradeoff  v.  warfighter  support 
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DEFENSE  BUSINESS  BOARD 


Questions? 


Defense  Business  Board 


Business  Excellence  In  Defense  of  the  Nation 
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Appendix 


Defense  Business  Board 


Business  Excellence  In  Defense  of  the  Nation 
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DoD  documents  and  briefings 

■  “Defense  Information  Infrastructure:  Rationale  for  Defense  Management  Report 
Decision  (DRMD)  918,”  Cynthia  Kendall,  Deputy  Assistant  Secretary  of  Defense 
(Information  Systems),  September  1992 

■  Defense  Intelligence  Agency  Strategic  Vision  Overview  2012-2016 

“Department  of  Defense  Information  Technology  Enterprise  Strategy  and  Roadmap,” 
DoD  Chief  Information  Officer,  September  6,  201 1 

“Department  of  the  Navy  Information  Management/Information  Technology/  Cyberspace 
Campaign  Plan  for  Fiscal  Years  2011-2013,”  Terry  Halvorsen,  DON/CIO,  May  201 1 

Federal  Data  Center  Consolidation  Initiative;  Department  of  Defense  201 1  Data  Center 
Consolidation  Plan  &  Progress  Report,  November  8,  2011 

Remarks  by  Deputy  Secretary  Lynn  at  the  201 1  DISA  Customer  and  Industry  Forum, 
Baltimore,  MD,  August  16,  2011 

■  Title  10  USC;  Subtitle  A;  Part  IV;  Chapter  131;  Section  2222  Defense  business  systems: 
architecture,  accountability  and  modernization;  January  2009 
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US  Government  documents 


■  “25  Point  Implementation  Plan  to  Reform  Federal  Information  Technology 

Management,”  Vivek  Kundra,  U.S.  Chief  Information  Officer,  December  2010 

“Cyberspace  Policy  Review:  Assuring  a  Trusted  and  Resilient  Information  and 
Communications  Infrastructure,”  The  White  House,  May  29,  2009 

“Data  Center  Consolidation;  Agencies  Need  to  Complete  Inventories  and  Plans  to 
Achieve  Expected  Savings,”  Government  Accounting  Office  Report  11-565,  July  201 1 

“Information  Security:  Additional  Guidance  Needed  to  Address  Cloud  Computing 
Concerns,”  Gregory  C.  Wilshusen,  GAO  12-130T,  October  6,  2011 

“Information  Security:  Federal  Guidance  Needed  to  Address  Control  Issues  with 
Implementing  Cloud  Computing,”  Government  Accounting  Office  Report  GAO  10-513, 
May  2010 

“Memorandum  for  Chief  Information  Officers,  Subject:  Security  Authorization  of 
Information  Systems  in  Cloud  Computing  Environments,”  Steven  VanRoekel,  Federal 
CIO,  December  8,  201 1 

“State  of  Public  Sector  Cloud  Computing,”  Vivek  Kundra,  Federal  CIO,  May  20,  2010 


These  are  the  final  briefing  slides  as  approved  by  the  Defense 
Business  Board  in  the  public  meeting  held  January  19,  2012.  * 


24 


DEFENSE  BUSINESS  BOARD  t.  > 


Documents  Reviewed 


US  Government  documents  (cont’d) 

■  “VA  Information  Technology  Strategy,”  Statement  of  Joel  Willemssen,  Managing 
Director,  Information  Technology  U.S.  Government  Accountability  Office  before  the 
House  Veterans  Affairs  Subcommittee  on  Oversight  and  Investigations 

Industry  reports  and  reference  material 

■  “IT  Service  and  Cloud  Computing  Transformation  Strategy,”  Gartner  Consulting, 
September  201 1 

■  “Cloud  First  Buyers  Guide  for  Government,”  TechAmerica  Foundation 

“Security  Risks  in  Cloud  Computing;  a  Preliminary  View  from  the  IREC  Membership,” 
Information  Risk  Executive  Council,  2010 

■  “Enterprise  Data  Center  Consolidation  in  the  States:  Strategies  and  Business 
Justification,”  NASCIO,  August  2007 

■  “Hype  Cycle  for  Virtualization,”  Philip  Dawson,  Gartner,  Inc.,  July  22,  2010 

“Key  Issues  for  Securing  Public  and  Private  Cloud  Computing,  2011,”  John  Pescatore, 
Gartner,  Inc.,  April  15,  2011 

“Amazon’s  Corporate  IT  Migrates  Business  Process  Management  to  the  Amazon  Web 
Services  Cloud,”  Amazon  Web  Services,  April  201 1 
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Documents  Reviewed 


Press  articles  and  speeches 

■  “A  Break  in  the  Clouds:  Towards  a  Cloud  Definition,”  Luis  Vaquero,  et  al 

■  “Federal  IT  Needs  A  Cost-Savings  Dashboard,”  John  Foley,  In  formation  Week 
Government,  December  12,  2011 

“GAO  Faults  Pentagon  Cyber  Efforts,  Lack  Of  Clarity,”  Ellen  Nakashima,  Washington 
Post,  July  26,  2011 

■  “Military  Networks  'Not  Defensible,'  Says  General  Who  Defends  Them,”  Noah 
Shachtman,  Danger  Room  (Wired.com),  January  12,  2012 

“Navy,  Marine  Corps  Under  Orders  To  Slash  IT  Spending,”  Nicole  Blake  Johnson, 

Federal  Times,  August  10,  201 1 

■  “Navy  Details  Data  Center  Consolidation  Plan,”  Bob  Brewin,  NEXTGOV  July  26,  201 1 

■  “Preparing  for  the  Real  Costs  of  Cloud  Computing,”  Bob  Violino,  Computerworld, 
December  5,  201 1 

“Selling  Umbrellas  in  the  Rain,”  Dean  lacovelli,  www.public-cio.com,  February  201 1 

■  “The  Agile  Infrastructure;  Digital  Spotlight  Datacenters,”  Robert  L.  Scheier, 

Computerworld,  December  2011 
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Documents  Reviewed 


Press  articles  and  speeches  (cont’d) 

■  “The  Coming  Cyber  Wars,”  Richard  Clarke,  Boston  Globe,  July  31 ,  201 1 

“Under  Pressure:  The  Pentagon  Faces  a  Business  Challenge  at  Military  Scale,”  John 
Foley,  InformationWeek,  November  28,  2011 
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